Introduction to managing with Least Privilege

There are way too many administrators. This is clear from the way compliance regulations such as Sarbanes-Oxley (SarBox) and HIPAA are interpreted, and it is clear from our internal security audits. It seems that every time someone asks how many domain administrators there are in a given enterprise, the answer given is much smaller than the reality. When we talk about local administrator rights, the numbers are staggering.

I usually start conversations about limiting local privileges with a question. "Do you ever have a situation where someone requests local administrative rights because they need to run a specific application?" Always, a resounding yes. "Do you ever take away users' local administrative rights, only to have them or their boss (or worse, your boss!) come back to tell you that you have all but destroyed their ability to perform their job?" Again, so many heads nod that it can actually make the room move!

The purpose of this blog is to spend a few weeks discussing some of the situations we have come across regarding Managing with Least Privilege and how organizations are dealing with these issues.

Come back often, bookmark, dog-ear, flag, google, pluck the page and share your thoughts. Three or four of us will be adding content just about daily for you to enjoy. Besides thoughtful articles, dialogs, rants and raves, we will also provide many links to resources that you may find helpful in your quest to completely Manage with Least Privilege.

Discuss this Article

Anonymous User (not verified)

on Jul 7, 2005

AHA! Thought I recognized that developer. How'd he/she get in here?
I spent some time working at a large software development house. This had to be THE issue to gnaw on for quite some time. It really boils down to policy. What has THE BUSINESS decided the policy will be?
My biggest pain point as the IT Manager and Site Services Supervisor was Alpha and Beta product being developed, installed and used in the production environment causing downtime.
For us, the end result of 6 months of arguing was: on production systems used for production applications, including email, file access, etc., no administrative rights and no unapproved installations. On systems not connected to the production LAN, whatever.
The kicker was providing a suitable test environment that could replicate the production environment, simulating real traffic. Once that was provided, tested and accepted, all of our problems with uptime evaporated.
Mark

We decided when we rolled out SP2 to move everyone to least privilege. 90% of our users did not notice the difference. A few were ****** the first time they tried to install something and could not, but we had a good line of communication open with department heads and we were able to calm most of them down. Unfortunately one of our applications sends out monthly updates and I have to go to 25 machines and run updates, but that is a vendor issue we just have to deal with.
The hardest people to wean off privilege have been our app/web developers. They all swear they need to be admins on all the boxes they use. Weaning them will take time.

AMEN!
We just spent over 4 months getting our application developers working with least privilege. That said, there are a few out there that we couldn't get around. Visual Studio was one of the biggies.
Funny consequence of the developers finding out about that. Once the word hit the community that if you had VS 6.0 or VS 2000, then you were provided admin rights to the workstation, within two weeks we saw about a 30-40% surge in VS install requests.

Hi viacoboni
I think you're missing the point here: running with LUA does not only mean taking privileges away from you. Think about it also from a security perspective: I am sure that you know that the vast majority of viruses/trojans/rootkits and spyware programs require admin privs to install & spread themselves.
Do you really need to surf the Internet as local admin? Do you need to read email as local admin?
How would you feel if, for example, your Exchange Administrator gets hacked while surfing the web and the entire company email system is compromised?
There are less and less reasons to use administrative accounts. I am a systems developer myself and I can do most of what I need as an unprivileged user: I only use elevated privileges when I need them. Once your workstation is configured, you can do that too: use RunAs or a commercial solution.
If you still don't agree then tell us what you need admin rights for: you say you NEED them, but it would be interesting to learn what for.
cheers,
Marco

Least privilege on the desktop
I've been running networks where users have least privilege on their desktops for nearly four years. The problems are largely political, not technical. There are various methods that can be used to ensure an application runs correctly under least privilege. For instance on Windows 2000 tools are available to identify security access problems to the file system and registry. On Windows XP application compatibility features allow redirection for write access to the registry and file system.
Applications like those provided by DesktopStandard are great, but too expensive for most small companies to consider. The ability to change security tokens on the fly depending on the application launched needs to be a feature that is built in to the OS/Active Directory to ensure that compatibility problems generated by least privilege can be resolved quickly.
Getting buy-in from management for least privilege is usually easy. Until they realise this will also apply to them. Once privilege has been granted, it's very difficult to then remove it. You will become the most unpopular guy in your company. You explain the benefits to users time and time again, mainly they'd rather be able to load Quake than have a stable and secure machine (read 'work avoidance'). My colleagues often also fail to understand least privilege. At the first sign of a problem, they will grant administrator access and then never bother to address the real issue.
Least privilege can be tricky to implement, but the technical issues can be worked around. Business and the IT industry need to change their attitudes towards this. How will your Windows network ever be stable unless you carefully control change and configuration? You need to get buy-in from management, have it written in your IT policy and then explain to users why and how things will change (before implementing!). Even considering all these points, it'll be tough!
Least privilege on the server
Similar issues. 'I need administrator access because...' No good reason usually given. I ask why... because the vendor says so! Not good enough is my response.

Thanks Adam, great comment. We will have lots of discussions around just this. Getting down to the specific privilege that is required for a specific application can be a challenge, but the results are going to be much better than just granting administrator rights. Additionally, understanding token inheritance is critical in managing such an environment. Once the application is given Administrator rights, if the application has an 'open/save' dialog, that user can launch any application with those elevated rights. It is clearly an area of concern.
Thanks for your thoughts and continue with the feedback. This is a great topic and generally generates a lot of interest.
Best Regards,
Kevin

I take it from the other perspective.
I'm one of those difficult developers you guys talk about. I can't tell you how many times I've legitimately needed to load programs on both my workstation and the many application servers I manage. You might not like to hear it, but I NEED admin rights.
"Oh sure you do," you say. "I've heard that before." You have not wasted the days and weeks I have trying to get permissions for things that do nothing but extend release dates, block progress, and most of all waste money.
I can understand restricting admin rights to some basic users, or possibly even most non-developers/power users, but I can honestly say that the day I'm not an admin on my own machine is the day I look for work elsewhere.

Usefulness of this blog? That remains to be seen, but I'm willing to bet that it'll be entertaining!
What is it with web dev people? "I must be Admin in order to code in .NET!" What's that all about? I'm an amateur script mangler at best, so I won't pretend to understand the languages these guys work with, but needing to be an admin equivalent in order to make a web service work doesn't sound like the "Secure Computing Initiative" that Gates and Co. promised us. It smacks of lazy coding.

One of the challenges facing large datacenters is the increasing demand by application owners for local admin rights. More often than not, they don't even know why exactly the rights are needed; maybe their vendor told them so. To go back and investigate each and every member of the Administrators group on each and every server is a daunting task. Very open to suggestions here...
Thanks - great topic.
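A starting point for the audit the last comment asks about, and for the point in the post that the stated number of domain administrators is always smaller than the reality: one reason the count comes up short is that group membership nests, so a handful of direct members of Administrators can hide dozens of people reached through domain groups. The script below is an added example, not code from the original post or from any of the commenters. It walks the local Administrators group on each server through the WinNT ADSI provider and expands every nested group, reporting effective members and the chain of groups that grants each one the right. It assumes the account running it can read local and domain group membership on the targets, that the WinNT provider can reach each host and the domain, and that the hostnames are placeholders.

```powershell
# Added example (not from the original post): report the effective members of the
# local Administrators group on a list of servers, expanding nested domain groups.
# Assumptions: WinNT ADSI provider reachable, caller can read group membership,
# hostnames below are placeholders.

$Servers = @('srv-app01', 'srv-app02')   # placeholder hostnames

function Get-AdsiProperty {
    # Read one property (Name, Class, ADsPath) from a raw ADSI member COM object.
    param($Member, [string]$Name)
    $Member.GetType().InvokeMember($Name, 'GetProperty', $null, $Member, $null)
}

function Expand-GroupMembers {
    # Recursively walk a group, emitting one object per non-group member.
    # $Seen records groups already visited so nested-group loops terminate.
    param([string]$Computer, [string]$GroupPath, [string]$Via, [hashtable]$Seen)
    if ($Seen.ContainsKey($GroupPath)) { return }
    $Seen[$GroupPath] = $true
    $group = [ADSI]"$GroupPath,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $name  = Get-AdsiProperty $m 'Name'
        $class = Get-AdsiProperty $m 'Class'
        $path  = Get-AdsiProperty $m 'ADsPath'    # e.g. WinNT://DOMAIN/Domain Admins
        if ($class -eq 'Group') {
            Expand-GroupMembers -Computer $Computer -GroupPath $path -Via "$Via > $name" -Seen $Seen
        } else {
            [PSCustomObject]@{
                Computer = $Computer
                Member   = $name
                Class    = $class
                Via      = $Via    # chain of groups through which the right is inherited
            }
        }
    }
}

$report = foreach ($server in $Servers) {
    try {
        Expand-GroupMembers -Computer $server -GroupPath "WinNT://$server/Administrators" -Via 'Administrators' -Seen @{}
    } catch {
        Write-Warning "$server`: $($_.Exception.Message)"
    }
}

# Effective admins per server is the honest count; the direct-member list understates it.
$report | Group-Object Computer | Select-Object Name, Count
$report | Sort-Object Computer, Member | Format-Table -AutoSize
```

Run it from a workstation that can reach the servers, then pipe `$report` to `Export-Csv` and hand the Via column to the application owners: it shows exactly which group grants each person the right, which is the question to ask before anyone is removed. On current systems `Get-LocalGroupMember` lists the direct members more simply, but it does not expand nested domain groups, which is the part that makes the real number bigger than the answer people give.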